Security updates to wheezy-backports vs. -sloppy

To: debian-backports@lists.debian.org
Subject: Security updates to wheezy-backports vs. -sloppy
From: Colin Watson <cjwatson@debian.org>
Date: Sun, 17 Jan 2016 17:42:01 +0000
Message-id: <[🔎] 20160117174201.GA14438@riva.ucam.org>
Mail-followup-to: debian-backports@lists.debian.org

openssh/wheezy-backports needs to be updated for recent CVEs which were
fixed in 1:7.1p2-1.  I can upload a straightforward backport of
1:7.1p2-1 since it's now in testing, but this is newer than the version
in stable so it would have to go to wheezy-backports-sloppy.  (There are
also a few older CVEs from the 6.9 era which should be fixed, and these
have the same problem.)

Can somebody confirm that the correct procedure for this would be as
follows?

 * upload 1:6.7p1-5~bpo70+1 to wheezy-backports, based on 1:6.7p1-5 in
   jessie but with the addition of cherry-picked patches to fix security
   bugs
 * upload 1:7.1p2-1~bpo7+1 to wheezy-backports-sloppy and
   1:7.1p2-1~bpo8-1 to jessie-backports (not required, but I'd like to
   support this)

Mainly I just want to confirm that it's OK to cherry-pick security
patches in this way, rather than the alternative of telling
wheezy-backports users that they have to use wheezy-backports-sloppy to
get security fixes.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Re: Security updates to wheezy-backports vs. -sloppy
  - From: Christian Seiler <christian@iwakd.de>
- Re: Security updates to wheezy-backports vs. -sloppy
  - From: Christian Hofstaedtler <zeha@debian.org>

Prev by Date: Re: linux-image 4.3.3 bcache stability patches
Next by Date: Re: Security updates to wheezy-backports vs. -sloppy
Previous by thread: Re: linux-image 4.3.3 bcache stability patches
Next by thread: Re: Security updates to wheezy-backports vs. -sloppy
Index(es):
- Date
- Thread